[Security] Rework firewall's access denied rule #30423
Conversation
dimabory
force-pushed
the
security-access-denied-rework
branch
from
9b2acc0
to
9073c94
Compare
src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
Outdated
Show resolved
Hide resolved
dimabory
force-pushed
the
security-access-denied-rework
branch
2 times, most recently
from
f1849b3
to
461b2a4
Compare
|
Please use a single PR per issue next time, easier to review. Fixes themself are fine. Status: reviewed |
|
Actually it shouldn't be based on |
|
@chalasr I just discussed with @michaelcullum that I think we should consider merging it into So I'd prefer putting it into |
|
Let's add some notes in the CHANGELOG.md file of the component, and give some instructions in UPGRADE-4.3.md then |
|
@dimabory can you pick that up? |
|
@curry684, @nicolas-grekas I'm not sure about B/C breaking. Can you guide me on what exactly can be broken with this change? |
|
The change may cause the AccessDeniedHandler to be executed now in cases where it wasn't before, and applications may depend on the previous erroneous behavior to some degree. Technically everything that changes existing behavior is to be considered BC breakage, but in this case the old behavior was technically wrong and out of spec, hence why we're accepting the fix in a minor release, but not backporting it. But the PR should mention it in the upgrade guide. |
|
Looking at the patch and the fixed ticket, I think we should merge in 3.4, every bugfix breaks someone's behavior. |
|
I'm mainly hesitant because it'll be a patch level change in low level security behavior. I'm hard pressed to find a harmful scenario but I prefer to err on the side of caution where access control is involved... 😉 |
|
So what's the base branch |
|
3.4. Technically it's correct for a bugfix, I won't object to it and @chalasr is the boss of security component 😉 |
dimabory
force-pushed
the
security-access-denied-rework
branch
from
461b2a4
to
5790859
Compare
|
Thank you @dimabory. |
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Rework firewall's access denied rule | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | ~~#30099~~, #28229 | License | MIT | Doc PR | Follow tickets provided above to reproduce bugs. (there are also some project examples) ~~In addition, I'm looking for someone who knows an answer to [this](#30099 (comment)) regarding rework in this PR.~~ Commits ------- 5790859 Rework firewall access denied rule
|
Excuse me, guys, but I didn't update |
|
@dimabory As this is a bug fix, there is no need to update the CHANGELOG/UPGRADE files. |
| @@ -131,8 +131,6 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event | |||
| } catch (\Exception $e) { | |||
| $event->setException($e); | |||
| } | |||
|
|
|||
| return; | |||
There was a problem hiding this comment.
this now calls the accessDeniedHandler even when we call the entry point, which looks weird.
There was a problem hiding this comment.
Good point, but it's pretty much technically in line given the rest of the implementation (it also logs at 123, same thing). Not really trivial to fix given how the flow works...
There was a problem hiding this comment.
So if entry point returns 403 response you get endless redirect loop
|
These changes make log with message "Access denied, the user is neither anonymous, nor remember-me."(https://github.com/chalasr/symfony/blob/fd1408b13869a381fbebf9b9967f7a80e8b141d3/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php#L137) lying, because token may be anonymous on |
|
Also with this PR symfony call access denied handler without any context, that response already generated for anonymous token. In my case my handler doesn't expect calling for anonymous token and I got an infinite redirect. I think it's BC break. |
|
@andrew-demb fix is coming, see #31142 |
…ied rule (dimabory)" (chalasr) This PR was merged into the 3.4 branch. Discussion ---------- Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? |no | Tests pass? | yes | Fixed tickets | #31136 | License | MIT | Doc PR | n/a Commits ------- cd77f6f Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
* 3.4: Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" [FrameworkBundle] minor: remove a typo from changelog [VarDumper][Ldap] relax some locally failing tests [Validator] #30192 Added the missing translations for the Tagalog ("tl") locale. Make MimeTypeExtensionGuesser case insensitive
* 4.2: Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" [FrameworkBundle] minor: remove a typo from changelog [VarDumper] fix tests with ICU 64.1 [VarDumper][Ldap] relax some locally failing tests [Validator] #30192 Added the missing translations for the Tagalog ("tl") locale. Make MimeTypeExtensionGuesser case insensitive Fix get session when the request stack is empty [Routing] fix trailing slash redirection with non-greedy trailing vars [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy
#30099, #28229Follow tickets provided above to reproduce bugs. (there are also some project examples)
In addition, I'm looking for someone who knows an answer to this regarding rework in this PR.